All organisations apply risk management in some form, although it may not be in a structured manner. What ERM does is provide a structured format for its implementation. But one of the biggest mistakes risk managers can make is to focus too much on the formal or compliance side of ERM. Eight red-flag areas that risk professionals should be aware of, were the main points of a recent IERP® Tea Talk by Ramesh Pillai, Chairman of the Institute’s Board of Governors. Describing the formal, compliance side of risk management as a “necessary evil,” he said that while this ensures consistency and repeatability, it was not a first priority.
Wrong emphasis
Many firms – and CROs – emphasise close adherence to risk management standards without connecting these to organisational decision-making. They should instead work on harmonising the firm’s vision, mission, strategies and objectives; these are practical aspects to which ERM should be applied. There is also a tendency to apply “best practices” which may be unsupported; these best practices which may not be science-based or tested robustly enough, may eventually cause other problems. Resources may be deployed incorrectly. For instance, there is no real immediate need for risk appetite statements, so trying to develop one up front may be a waste of effort.
Ignoring existing practices
Risk management is neither new nor unique; it has been around for some time. Most companies have practised it in some form or other, perhaps even without knowing it. Their management teams may have already done quantitative risk analysis, or run scenarios on the budget, or conducted sensitivity analysis on investment projects. All these are risk management measures, as are running simulations when designing new products, diversifying project portfolios, and setting different pricing for different markets. It is usually easier to build a totally new process than to improve on an existing one, but in the case of risk management, the firm should build on existing processes and decisions.
Taxonomy rather than objective-centric
Applying taxonomy to risk management, rather than taking the objective-centric approach is not in line with best practices, but risk management and/or internal audit consultants – who may be unqualified or uninformed – may not understand the objective-centric approach. This lack of understanding may extend to the Board and management as well, leading to less support of good and effective risk management within the organisation. Those tasked with risk management may also be unqualified, or inappropriately qualified; they may not know that depending on taxonomy leaves the organisation open to blind spots. These potential gaps and blind spots in risk management may be fatal to the firm.
Non-alignment of Vision, Mission, Strategies and Objectives
Risk management is about the achievement of the organisation’s objectives. There is therefore a need for goal harmonisation, to align the firm’s vision, mission, strategies and objectives. This should be done holistically, and cascaded down to all departments or units so that they can align respectively. But sometimes, Board and management may not be aware of the need to align for effective ERM, and this can result in a lack of support and unwillingness to commit resources to achieve harmonisation.
Lack of depth of ERM understanding
Together with the lack of awareness comes a shortfall in the understanding of what ERM entails, and why proper training, qualification and mentoring are necessary. ERM needs continuous professional education. “People don’t understand the real benefits of ERM,” Ramesh remarked, adding that seniority was often -prioritised over knowledge of ERM’s more current approaches. However, staff who have been in their positions longer, although more senior, may have dated knowledge and will be unable to do the job.
Lack of emphasis on improving decision-making
ERM is also about improving the quality of decision making. Effective risk management requires proper understanding of risk decision making in relation to the company’s particular situation, including the processes in place. It requires strong risk leadership that includes maturity and credibility, and the ability to get buy-in from the related parties when implementing these risk decision processes, such as when applying automation or digitisation to various sectors of the organisation. There is sometimes an incomplete understanding of what constitutes automation and what going digital actually means, for example. Incomplete understanding of issues can lead to decision-making which is not appropriately informed, which may impact negatively on the organisation.
Implementing what you know, instead of what the company needs
Risk professionals need to seek out proper technical knowledge, Ramesh said. In risk management, there is no “one-size-fits-all” and the concepts learned in the course of training may not be fully understood or be improperly applied; “heat maps” is one example. “These don’t work unless you understand their limitations and know exactly how to apply them,” he said.
Lack of ownership and implementation of the Three Lines of Defence
This usually stems from insufficient risk education and the lack of awareness of what risk management actually entails. It may also be the reason for the limited buy-in on the part of those who should be involved, and the support of Board and management, resulting in a lack of credibility for ERM. Very often, there is no explanation of ERM’s advantages to the line, or why they need to follow its frameworks, policies and processes. If there is no proper understanding, there will be insufficient engagement, and a further decline in credibility.
To remedy situations where these red flags exist, and increase risk management activities, Ramesh suggested that risk professionals start by constantly keeping up to date with ERM practices through networking and mentoring. Being current with what is “out there” is a means of educating the Board and senior management, and being a source of knowledge for subordinates and contemporaries. It also shores up credibility and could improve stakeholder confidence. Risk professionals must constantly maintain their competency levels while identifying and addressing red flag situations, in order to lead ERM implementations.